just a chill devvv | @0xCrypticCrypto @nipmod

Joined December 2021
Jun 3
This is the reality of npm today. @nipmod adds the missing trust layer so agents don’t execute compromised packages
Compromised npm packages (utils-terminal@3.2.1, logger-active@3.2.1) are abusing Hugging Face repos as exfiltration infrastructure. The packages deploy a remote access trojan (RAT) that captures keystrokes, screenshots, and crypto wallet credentials.

Indicators of compromise (IOCs):
- npm user: hexalpha10 / author: toskypi
- 195.201.194[.]107:8010 (WebSocket C2)
- c2-toskypi.onrender[.]com (HTTP C2)
- huggingface[.]co/api (exfiltration endpoint)
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftSystem64 (persistence)
- MicrosoftSystem64.service (Linux systemd persistence)
- \MicrosoftSystem64 (Windows scheduled task)
- MicrosoftSystem64/payload.js (payload directory)

Defenders: treat unexpected huggingface[.]co/api calls from non-ML workloads as suspicious.
D🦇 retweeted
Jun 2
This is exactly why we’re building Nipmod.
Software discovery needs a trust layer before execution, for humans AND for AI agents.
Exact package version, install hooks, provenance, risk signals, approval boundary.
@MsftSecIntel happy to compare notes
nipmod.com
Microsoft has identified a npm supply chain compromise impacting 90 redhat-cloud-services/* packages, including patch-client 4.0.4, insights-client 4.0.4, rbac-client 9.0.3, host-inventory-client 5.0.3, frontend-components 7.7.2, and others. The payload is a self-propagating worm that infects other npm packages and self-publishes. Each compromised package adds a malicious preinstall hook, embedding an index.js script in the package.json that silently executes “node index.js” during installation, downloads Bun, and runs a payload that steals secrets from npm, GitHub, Amazon Web Services (AWS), and Secure Shell (SSH). The added code bloats index.js from ~8KB to ~4.3MB, acting as a heavily obfuscated ROT-9 eval loader. If any of the compromised packages are installed, users and organizations should assume compromise, rotate credentials, revert to a previously trusted version, and block compromised packages. Identified compromised npm packages have been taken down, and we continue to work with the npm team. Microsoft continues to investigate this attack and will publish updates as more information is available.
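Added example (not from the Microsoft post or from Nipmod): a Node.js check for the hook pattern the quoted advisory describes, listing packages under node_modules that declare install-time lifecycle scripts and flagging any whose hook runs an unusually large .js file. The 1 MiB threshold, the function names and the sample packages are assumptions constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const HOOKS = ["preinstall", "install", "postinstall"];
const SIZE_LIMIT = 1024 * 1024; // assumed threshold (1 MiB), far below the ~4.3MB loader

// Report install-time hooks of one package, and whether the script they run is oversized.
function inspectPackage(dir) {
  let manifest;
  try { manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8")); }
  catch { return []; } // no manifest or unreadable JSON: nothing to report
  const scripts = manifest.scripts || {};
  return HOOKS.filter((h) => typeof scripts[h] === "string").map((hook) => {
    const m = /\bnode\s+([\w./-]+\.js)\b/.exec(scripts[hook]);
    let bytes = null;
    if (m) try { bytes = fs.statSync(path.join(dir, m[1])).size; } catch { /* script missing */ }
    return { id: `${manifest.name}@${manifest.version}`, hook, command: scripts[hook],
             script: m ? m[1] : null, bytes, oversized: bytes !== null && bytes > SIZE_LIMIT };
  });
}

// Walk a node_modules tree, including @scope directories and nested node_modules.
function scanNodeModules(root) {
  const findings = [];
  if (!fs.existsSync(root)) return findings;
  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const dir = path.join(root, entry.name);
    if (entry.name.startsWith("@")) { findings.push(...scanNodeModules(dir)); continue; }
    findings.push(...inspectPackage(dir), ...scanNodeModules(path.join(dir, "node_modules")));
  }
  return findings;
}

// Constructed sample tree (not real packages): one benign, one with the described hook shape.
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "hookscan-"));
  const add = (name, manifest, indexBytes) => {
    const dir = path.join(root, "node_modules", name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify({ name, ...manifest }));
    fs.writeFileSync(path.join(dir, "index.js"), "/".repeat(indexBytes)); // filler, not a payload
  };
  add("example-benign", { version: "1.0.0", scripts: { test: "node test.js" } }, 8 * 1024);
  add("@example-scope/example-hooked", { version: "0.0.1", scripts: { preinstall: "node index.js" } }, 2 * 1024 * 1024);
  return path.join(root, "node_modules");
}

console.log(scanNodeModules(buildSample()));
```

A hook by itself is not proof of compromise, since many legitimate packages build native code at install time; the output is a review list to compare against the lockfile and the previously trusted version.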
May 31
Excited to be part of @nipmod @hazarxyz
I’m going to help make AI agents operate much more securely, especially when it comes to packages, dependencies, and the execution of external code.
May 31
Welcome @_ditro to Nipmod! He will focus on security infrastructure, including safe code execution, sandboxing architecture, latency optimization, and privacy / zero-knowledge research. He brings backend experience across automation, infrastructure optimization, and secure environments. Step by step, we are bringing in the right people to build Nipmod into something that matters.